3 matches found
CVE-2026-55698 pnpm: Project env lockfile can short-circuit package-manager resolution and execute lockfile-selected pnpm bytes
pnpm is a package manager. Prior to 10.34.2 and 11.5.3, pnpm can persist package-manager bootstrap metadata in the first YAML document of pnpm-lock.yaml. Before the patch, direct pnpm execution trusted an already resolved packageManagerDependencies entry when the committed env lockfile contained...
MAL-2025-47715 Malicious code in pnpm_lockfile_file_v9 (npm)
Malicious code in pnpm_lockfile_file_v8 (npm)